Helping our customers with Data Protection Impact Assessments

Data Protection Impact Assessments (DPIA’s) assess how data processing activities, typically introduced as new projects or systems, could impact individuals rights and freedoms. Completing a DPIA helps organisations identify and mitigate potential Data Protection risks these changes introduce. 

According to the United Kingdom’s Information Commissioner (ICO):

• You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing.
• It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

We often receive requests from our customers who want information to complete a DPIA. We are required to provide this information to them as a Data Processor under the General Data Protection Regulation (GDPR) . Our answers are based on the ICO template which we have found most organisations accept.

You can find our Data Protection Addendum at rg.co/agreements

You can find our Security Pack, containing everything needed for your due diligence at rg.co/security

If you are unsure if you need to complete a DPIA, or are still uncertain after reading our answers, we recommend that you consult with your Data Protection Officer or legal team. 

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?

We do not know how the information we are supplied was originally collected, but it is often your Human Resource Information System (HRIS) that provides the ‘source of truth’ for this data. 

At a minimum, we require one unique identifier and a verification question but you may provide us with more - this is what we refer to as ‘Customer Personal Data’ which we use to provide licenses to the Employee Engagement Platform we run.

Once you have shared the data with us, it will be automatically loaded into our databases within our infrastructure, hosted on Amazon Web Services. We do use sub-processors, and some of them are based outside of the European Economic Area. You can see details of those, including how we secure that transfer on the Sub-Processors Information document, at rg.co/agreements. 

We will retain this data for the duration of the contract, and remove it no later than 180 days after contract termination to allow for backups to be overwritten. During contract, we apply the Data Minimisation principle by removing accounts after 2 years of inactivity. 

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

The scope is usually your employees’ and contractors’ personal data. 

Depending on the products you take from us and how you intend to use them, the data sharing requirements may change. You can refer to this document for more detail, but it’s likely you will need to speak with the person in charge of the relationship with us and/or the assigned Implementation Specialist from Reward Gateway to fully understand the data sharing requirements. 

How you share that information with us can vary - we only support secure methods and those options span from a manual upload by an administrator, to being fully integrated and automated from your HRIS.

It is important that the data you share with us remains accurate, which means updating it regularly to account for any changes in your workforce - such as joiners and leavers. You can read more about that in the relevant article.

At Reward Gateway, we only grant access to customer data based on the principle of least privilege. The following teams will have access:

• Employee Support Team – able to view employee profiles, issue password resets, process orders and support tickets.
• Client Support Team – provides a similar role to an employer's HR team with ability to conduct the same activities on their behalf.
• Engineering – may require temporary access to production data for fault identification and review.

Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

We publish Security related information in our Security Pack available at rg.co/security, which we hope will provide you with confidence that we are well equipped to handle sensitive data in a secure and ethical manner. 

• As an employer, there tends to be a power imbalance which makes Consent an inappropriate basis. We have an article covering this subject.
• If you are considering Legitimate Interest, it is best practise to complete a Legitimate Interest Assessment (LIA) also. The ICO has good resources on LIAs. 

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for  you, and more broadly? 

This would be the project’s aim - the reason you have decided to take products from Reward Gateway, usually to improve Employee Engagement. 

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Some of our customers involve a selection of employees from across their business and that can work very well. 

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

To achieve data quality we suggest using your HRIS as a source of information and performing regular updates (ie. weekly or monthly - depending on your rate of staff turnover). This way, if an employee’s details change, they need only to update their information on your internal HR system, and those updates would be pushed out to us on a regular basis. 

Our Data Protection Agreement (rg.co/agreements) binds us to follow security procedures and organisational standards, as well as various required legal clauses that all processors must comply with under GDPR.

We publish a Privacy Notice on each of our programmes which is visible at all times in the footer and is highlighted at any point of data collection. However this Privacy Notice does not cover the data collection and transfer of ‘Customer Personal Data’ to Reward Gateway - that is the responsibility of our customers.

We provide ways in which our members can control their data while using Reward Gateway, such as updating their details in their Profile and exercising their right to access and erasure through self-service tools we have built. 

We do use sub-processors too, and some of them are based in the United States of America. You can see details of those, including how we secure that transfer on the Sub-Processors Information document, at rg.co/agreements.